
mace-opensaml-users - Re: [OpenSAML] Testing SAML relying party browser post profile

Subject: OpenSAML user discussion


Re: [OpenSAML] Testing SAML relying party browser post profile


  • From: Brent Putman <>
  • To:
  • Subject: Re: [OpenSAML] Testing SAML relying party browser post profile
  • Date: Fri, 20 Mar 2009 19:48:02 -0400



Pantvaidya, Vishwajit wrote:
> Finally I got back to this and am facing a problem with getting testshib to
> use my key. I pasted my DSA key into my profile so that it looks like this:
>
>

More below, but the key that you give the IdP would only be used by it
for validating signatures on signed messages you send, or on validating
certs that you present on client TLS.

> When I get the saml response from testshib it looks like this:
>
>

Just to confirm: you are intending to do SAML 1.1, right, not SAML 2?

>
> So it seems like it is not using my key from the profile. Am I doing
> anything wrong here?
>

The IdP is signing the response with its key, not yours. You need to
validate the signature with the IdP's key, which you obtain via some
out-of-band mechanism, for example by getting the metadata that it
publishes about itself.


> Also I see that it is not sending any attributes in the assertion. Can I
> configure my profile to have it send those?
>

In Shibboleth with SAML 1, the default is to not send an attribute
statement in the SSO assertion, because in the absence of encryption
support in SAML 1, those would be in the clear and that's an undesirable
default. Instead the SP is expected to do an AttributeQuery to the
IdP's AttributeAuthority using the Subject from the SSO assertion. It
*can* be configured to send attributes on SSO in SAML 1, but I'm not
sure whether or how TestShib in particular can be requested to be
configured to do that for a particular SP. Nate can hopefully tell us
if that's possible.

FYI, the Shib IdP default on SAML 2 SSO is to send an encrypted
Assertion, since SAML supports XML Encryption. That can also be changed
- either the default or on a relying-party specific basis - to not
encrypt and/or not include the attribute statement at all. For that it
needs your encryption key, which btw can't be DSA b/c that doesn't
support encryption. Pretty much have to use RSA for that.

--Brent
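The point Brent makes above, that the SP validates the Response signature with the IdP's signing key taken from the IdP's published metadata and never with the SP's own key, is shown below as an added example. It is not code from this thread or from the OpenSAML project; it is written against the OpenSAML 2.x Java API as it existed in this era and targets SAML 1.1, per Brent's question. The IdP entityID, the metadata file name and the Response file passed on the command line are placeholders, and the metadata is assumed to have already been fetched out of band and checked for integrity.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;

import org.opensaml.Configuration;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml1.core.Response;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.w3c.dom.Element;

/**
 * Verifies the XML signature on a SAML 1.1 Response using only the signing
 * keys the IdP publishes in its metadata. The SP's own key (DSA or RSA) is
 * not involved in this check at all.
 */
public class VerifyIdpSignedResponse {

    // Placeholder values (assumptions, not from the thread): the IdP's entityID
    // and the local copy of its metadata, obtained out of band.
    static final String IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth";
    static final String IDP_METADATA_PATH = "idp-metadata.xml";

    public static boolean verify(File responseFile) throws Exception {
        DefaultBootstrap.bootstrap();

        BasicParserPool parser = new BasicParserPool();
        parser.setNamespaceAware(true);

        // 1. Load the IdP metadata. Expired metadata (validUntil/cacheDuration)
        //    is rejected rather than silently trusted.
        FilesystemMetadataProvider metadata =
            new FilesystemMetadataProvider(new File(IDP_METADATA_PATH));
        metadata.setParserPool(parser);
        metadata.setRequireValidMetadata(true);
        metadata.initialize();

        // 2. Trust engine whose only trusted keys are the KeyDescriptors in that
        //    metadata; a key carried inside the message's own KeyInfo is only
        //    accepted if it matches one of them.
        MetadataCredentialResolver mdResolver = new MetadataCredentialResolver(metadata);
        KeyInfoCredentialResolver kiResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine =
            new ExplicitKeySignatureTrustEngine(mdResolver, kiResolver);

        // 3. Parse and unmarshall the Response received on the browser POST endpoint.
        InputStream in = new FileInputStream(responseFile);
        Element root = parser.parse(in).getDocumentElement();
        Response response = (Response) Configuration.getUnmarshallerFactory()
            .getUnmarshaller(root).unmarshall(root);

        Signature signature = response.getSignature();
        if (signature == null) {
            return false;  // unsigned Responses are not acceptable on the POST profile
        }

        // 4. Enforce the SAML signature profile (enveloped, single Reference bound to
        //    the signed element's ID) before doing any cryptography.
        new SAMLSignatureProfileValidator().validate(signature);

        // 5. Verify under the IdP's *signing* keys for its SAML 1.1 IdP role only.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(IDP_ENTITY_ID));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME,
                                          SAMLConstants.SAML11P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return trustEngine.validate(signature, criteria);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("signature valid: " + verify(new File(args[0])));
    }
}
```

A true result here only establishes that the IdP signed this Response; the SP still has to check the Conditions (NotBefore/NotOnOrAfter, AudienceRestriction), the Recipient, and that the assertion ID has not been seen before. Restricting the criteria to UsageType.SIGNING also means a key the IdP publishes for encryption use only is never accepted as a signing key.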
